---

# Ensure a user, queue, and bindings for that queue exist in RabbitMQ.
# This is intended to be something most applications can use, but if you need
# more flexibility, just use the rabbitmq_* modules directly.
#
# Required parameters:
#
#   - username (str): the username to create in RabbitMQ, which should match the
#                     CN of the certificate.
#   - queue_name (str): The name of the queue to create. This must be prefixed
#                       with your username. For example, with a username of
#                       "bodhi", your queue could be named "bodhi_masher".
#   - routing_keys (list): A list of strings to use as routing keys.
#
# Optional parameters:
#
#   - write_queues (list): A list of queue name prefixes to which the user will
#                          be allowed to publish.
#   - thresholds (dict): A dictionary with two keys: "warning" and "critical".
#                        The values are numbers. Generate an alert in Nagios if
#                        the number of messages go above these values.

- name: Validate parameters
  assert:
    that:
    - "queue_name.startswith(username)"
    fail_msg: "Your queue name must be prefixed with your username"
  tags:
    - fedora-messaging
    - rabbitmq_cluster

- name: Validate the user parameter
  assert:
    that:
    - username != "admin"
    - username != "guest"
    - username != "nagios-monitoring"
    fail_msg: "This user name is reserved"
  tags:
    - fedora-messaging
    - rabbitmq_cluster

- name: Prepare the topic permissions dict
  set_fact:
    topic_permissions:
      - vhost: "{{ vhost }}"
        read_priv: .*
        write_priv: "{{ sent_topics }}"
  tags:
    - fedora-messaging
    - rabbitmq_cluster
  when: env == "staging" and sent_topics

- debug:
    msg: "Topic permissions: {{ topic_permissions|default([]) }}"
  when: topic_permissions is defined
  tags:
    - fedora-messaging
    - rabbitmq_cluster

# See https://www.rabbitmq.com/access-control.html#permissions for details on
# the RabbitMQ permissions configuration.
- name: Create the {{ username }} user in RabbitMQ
  delegate_to: "{{ rabbitmq_server }}"
  community.rabbitmq.rabbitmq_user:
    user: "{{ username }}"
    vhost: "{{ vhost }}"
    # Read from queues prefixed with their name and bind to the topic exchange
    read_priv: "^(zmq\\.topic)|^(amq\\.topic)|({{ username }}.*)$"
    # Write to queues prefixed with their name and any prefixes in
    # write_queues, and publish to the topic exchange
    write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$"
    configure_priv: "^$"  # No configuration permissions
    topic_permissions: "{{ topic_permissions|default([]) }}"
    state: present
  tags:
    - fedora-messaging
    - rabbitmq_cluster

- name: Create the {{ queue_name }} queue in RabbitMQ
  delegate_to: "{{ rabbitmq_server }}"
  rabbitmq_queue:
    name: "{{ queue_name }}"
    vhost: "{{ vhost }}"
    auto_delete: no
    durable: yes
    message_ttl: "{{ message_ttl }}"
    state: present
    login_user: admin
    login_password: "{{ (env == 'production')|ternary(rabbitmq_admin_password_production, rabbitmq_admin_password_staging) }}"
  tags:
    - fedora-messaging
    - rabbitmq_cluster

- name: Bind the {{ queue_name }} queue to the amq.topic exchange
  delegate_to: "{{ rabbitmq_server }}"
  rabbitmq_binding:
    name: "amq.topic"
    destination: "{{ queue_name }}"
    destination_type: queue
    routing_key: "{{ item }}"
    vhost: "{{ vhost }}"
    state: present
    login_user: admin
    login_password: "{{ (env == 'production')|ternary(rabbitmq_admin_password_production, rabbitmq_admin_password_staging) }}"
  loop: "{{ routing_keys }}"
  when: routing_keys is defined
  tags:
    - fedora-messaging
    - rabbitmq_cluster

# This can be removed when we're done with fedmsg and the bridges are retired.
- name: Bind the {{ queue_name }} queue to the zmq.topic exchange
  delegate_to: "{{ rabbitmq_server }}"
  rabbitmq_binding:
    name: "zmq.topic"
    destination: "{{ queue_name }}"
    destination_type: queue
    routing_key: "{{ item }}"
    vhost: "{{ vhost }}"
    state: present
    login_user: admin
    login_password: "{{ (env == 'production')|ternary(rabbitmq_admin_password_production, rabbitmq_admin_password_staging) }}"
  loop: "{{ routing_keys }}"
  when: routing_keys is defined
  tags:
    - fedora-messaging
    - rabbitmq_cluster

- name: Monitor the {{ queue_name }} queue in Nagios (NRPE)
  when: thresholds and env == "production"
  delegate_to: "{{ rabbitmq_server }}"
  template:
    src: nrpe.cfg.j2
    dest: /etc/nrpe.d/check_rabbitmq_queue_{{ queue_name }}.cfg
    owner: root
    group: root
    mode: 0644
  notify: restart nrpe on rabbitmq
  tags:
    - fedora-messaging
    - rabbitmq_cluster

- name: Monitor the {{ queue_name }} queue in Nagios
  when: thresholds and env == "production"
  delegate_to: "{{ nagios_server }}"
  template:
    src: nagios.cfg.j2
    dest: /etc/nagios/services/rabbitmq-queue-{{ queue_name }}.cfg
#  notify: restart nagios on noc
  tags:
    - fedora-messaging
    - rabbitmq_cluster
